Preston Hogue

We’ve outgrown the original concept of application security. In the late ’90s, most applications weren’t used on the Internet, so security was focused on the software development lifecycle and making sure that developers were following best practices for secure coding.

Secure code is still a big part of application security, but it’s not the whole picture. We need to take a much broader view of the topic. The way I see it, we should take a risk-based approach, analyzing all the components that make up an application, and then develop a strategy that delivers the most security to the app as a whole. Because when one component of an app is compromised—whether it’s a code vulnerability, network availability, SSL, or DNS—the entire application, as well as the data it houses, is affected.

For example, think about availability. Today, most apps are Internet-based, so a volumetric DDoS attack can cripple, or even take down, an application. Now, that’s got nothing to do with secure code, but it’s vitally important to the overall health of your application because no one can get to it.

Or what if a password gets stolen? Confidentiality has nothing to do with secure code, either. But your app is still compromised and your data can be exposed. That’s why we need to apply the core principles of confidentiality, integrity, and availability to all components of an application, identify weaknesses where they occur, and fix them.

Looking at application security from a risk-based perspective lets you focus on component failures and helps you provide the most robust security for the data that’s the ultimate target of most attacks.

Data theft has become so common today because attackers have a convenient way to get to it: the application. Using a risk-based approach lets you focus on what’s most important to your business, whether it’s preventing someone from defacing your web site or protecting against data breaches. This risk-based approach strengthens your overall security posture while also making sure you get the most value from the money you’re spending.

Here’s the thing: 72 percent of all attacks happen at the application level, but companies spend only 10 percent of their security budget on application security. That just doesn’t make sense.

With the exponential growth of the Internet of Things and the applications that go along with it, this issue is rapidly getting more complex. In 2010, there were 200 million web apps; today, it’s a billion. In 2020, it could easily be 5 billion. All those apps are vulnerability vectors. Just think about the Wi-Fi-enabled Barbie or a smart refrigerator and multiply that by 1,000. Or, 10,000.

That’s why it’s time to broaden our view of application security, so we’re in a better position to effectively secure all the components that make up our apps, safeguard our data, and protect our businesses.

Jeremiah Grossman

If we had to create a simple visual, application security is about protecting what is seen within the walls of a web browser. More specifically, the websites where over two billion people shop, pay their bills, learn, share their most intimate secrets, find out where something is, and so much more.

It stands to reason that something this important, the web, has become the most common avenue of cyber-attacks. Another reason for this is that websites and web applications exist largely outside the sphere of traditional security protections like firewalls, antivirus software, and TLS/SSL encryption.

Imagine also that the source of greatest vulnerability and risk is also the area that people are the least focused on protecting. If you don’t agree, just follow the money. Organizations generally spend 90 percent of their security budget on firewalls and antivirus software. But the bulk of the risk, and the breaches we all read about, are predominantly due to software that’s not secure, particularly web applications.

If cybersecurity is to get better, we have to change our way of thinking and understand that the primary job of application security is making sure that our software is secure.

Yes, I know it sounds so simple! Organizations must ensure that new websites and new software are coded securely, AND, just as important, organizations must address the countless vulnerabilities that already exist in their websites: websites that were built without any kind of secure software development lifecycle.

The problem is, even many security people really don’t understand how software is built and designed because their backgrounds and skill sets are often limited to network-layer security. It’s time to evolve.

For example, PCI DSS compliance requires that businesses protect themselves against the OWASP Top 10, so you have a bunch of people thinking that application security begins and ends with the Top 10. They’re just trying to check a box and say, OK, we’re done with app sec, let’s move on to the next thing.

That’s not how it works because that’s not how the bad guys work. The bad guys are quite happy and well-equipped to exploit websites using dozens of other techniques that aren’t on the OWASP Top Ten. Not to mention that no company has an OWASP Top Ten problem. It’s usually a Top 3-5 problem, and that varies greatly from organization to organization.

I constantly advise companies to invest more in developer education, performing static analysis, implementing web application firewalls, and other practices. I tell them to do anything except continue the status quo of spending large sums on firewalls and antivirus software. Anyone who is paying attention knows that won’t do anything to curtail the most common method of cyber-attack.

And in what seems to be a new trend surfacing, antivirus software itself is riddled with holes that can be exploited, and yet the industry spends $8 billion a year on it. That’s a lot of money spent on security software that makes us less secure. Let’s be clear: firewalls and antivirus have a place in the InfoSec ecosystem; it’s just that security budgets are grossly out of line with present-day risks and how business invests in IT. Furthermore, it’s imperative that more people working in the security community better understand software—and software security—if we’re going to effectively protect our applications and the underlying data.

Remember, finding and fixing vulnerabilities isn’t an academic exercise; it’s all about keeping a sentient attacker out of our systems and away from the data they protect. But without a clear picture of their adversaries, security professionals will have a difficult time developing effective strategies to defeat them.

I think the biggest driver of change will be the influence that cybersecurity insurance companies have on the way we practice not only application security, but all things computer security. As claims increase and insurers get more actuarial data, they’ll better understand the security measures companies were taking, as well as how the attackers breached the system.

At that point, insurance companies will be perfectly positioned to say, you must do application security this way or your premiums will go up. That’s going to be a wake-up call for the security community. And it might be the only way our outdated vision of application security is going to evolve.